Wallets tied to CDK ransom group received $25 million two days after attack
The ransomware group linked to a June cyberattack against auto industry software provider CDK Global received a payment of more than $25 million two days after the attack that hobbled software used by roughly 15,000 car dealerships in the U.S. became public, researchers told CyberScoop.
A cryptocurrency wallet likely controlled by BlackSuit — the ransomware group believed to be responsible for the attack — received approximately 387 bitcoin on June 21, worth roughly $25 million, researchers with blockchain intelligence firm TRM Labs told CyberScoop.
The evidence uncovered by TRM Labs is firmest evidence yet to indicate that CDK Global paid a ransom in order to resolve the attack on its systems, though TRM’s findings do not conclusively prove that the payment came from CDK.
Representatives for the company and its parent firm, Brookfield Business Partners, have refused to answer questions about whether CDK or a representative made a ransom payment.
If confirmed, the $25 million payment would be the second-largest ransom payment on record, trailing only the $40 million paid by CNA Financial Corp. in 2021. It would be the second known ransom payment to cross $20 million this year, after UnitedHealth Group paid attackers tied to the now defunct ALPHV ransomware operation $22 million to resolve an attack on its Change Healthcare subsidiary.
After the $25 payment was made to the wallet controlled by BlackSuit, roughly $15 million of the funds “moved through a complex set of nearly 200 transactions following a common money laundering typology, then was distributed across more than 20 addresses at five different global exchanges,” the firm told CyberScoop in an email.
A little more than $6 million in funds were also moved from the initial wallet and deposited across more than 15 addresses across four global exchanges, with movements continuing through Tuesday, TRM Labs said.
One of the wallets that received a deposit appears to belong to an active BlackSuit affiliate, the researchers added. That address had previously received funds from “several known BlackSuit and Wizard Spider victim payments,” the researchers said.
Wizard Spider is a name used to track a separate set of longrunning financially-motivated cybercriminal activity with ties to the Russian cybercrime ecosystem, industry and government researchers have said.
Another source familiar with the matter confirmed that an approximately $25 million payment was made to a BlackSuit-linked wallet.
The payment came the same day Bloomberg reported that the CDK Global attackers were demanding “tens of millions of dollars in ransom” and that the company was planning to make the payment. CNN was the first to report the $25 million transaction.
CDK Global, which is owned by Canada-based Brookfield Business Partners, began investigating a “cyber incident” the morning of June 19 and shut down “most” of its systems that day “out of an abundance of caution,” followed by a second incident that day, CDK Senior Manager of External Communications Lisa Finney told CyberScoop June 20. Tony Macrito, CDK Global’s senior director of communications, told CyberScoop Friday that all of the company’s major applications are now available.
The incident led to widespread disruption at auto dealerships across the country. At least six publicly traded auto dealership firms said in filings with the Securities and Exchange Commission that the incident had affected their business operations.
Brookfield Business Partners said in a July 3 press release that the company did not expect the incident to have a material impact on its business. Companies are required by the SEC to “make a materiality determination” following a ransomware attack and, if it determines an incident is material, disclose it within four days of the determination.
